Applications in PHP, Go and Python are vulnerable via CGI due to ‘httpoxy’ vulnerability
Researcher Dominic Scheirlinck has released details of the “httpoxy” vulnerabilities, which allow an attacker to control where requests from a web application are sent. This is an old vulnerability that affects PHP, Go, Python and other languages.
Scheirlinck explains the vulnerabilities and possible solutions on a site. The bottom line is that an attacker can use a request header to determine where a web application sends its requests. This works because the attacker sends a Proxy header, which CGI exposes to the application as an environment variable. That variable, named ‘HTTP_PROXY’, is also used to configure a proxy for outbound connections. The attacker can exploit this naming conflict to choose the proxy.
As a result, the attacker can, for example, point the application at a malicious proxy and in this way perform a man-in-the-middle attack and intercept data. According to the researcher, the vulnerability is quite old: it was already discovered in 2001 that the libwww-perl module misinterpreted the proxy header. Later, Ruby, Nginx and curl were also found to be susceptible. It now appears that the vulnerability also affects Go, Python and PHP. Scheirlinck reports on the site that other languages may be affected as well.
The vulnerability requires code to run in a CGI environment and to treat HTTP_PROXY as a variable. In addition, an HTTP client must trust this proxy and configure it as such, and that client must then make an HTTP request instead of an HTTPS request. The researcher’s advice is therefore, as a first step, to block incoming Proxy headers as early as possible, before they reach an application. Advisories have been released by Apache, Nginx, Red Hat, Drupal, US CERT, CloudFlare, and Akamai.
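The naming conflict and the two defences described above, as an added example that is not code from the researcher or any affected project. The function names, the sample request and the placeholder hosts are constructed for illustration, and the hardened lookup assumes REQUEST_METHOD is a reliable marker of a CGI environment.

```python
"""Constructed demo of the httpoxy naming conflict and two defences."""

def cgi_environ(method, headers):
    """Build CGI meta-variables as RFC 3875 describes: each request
    header becomes HTTP_<NAME>, upper-cased, with '-' replaced by '_'."""
    env = {"REQUEST_METHOD": method, "GATEWAY_INTERFACE": "CGI/1.1"}
    for name, value in headers.items():
        env["HTTP_" + name.upper().replace("-", "_")] = value
    return env

def strip_proxy_header(headers):
    """Edge defence: drop the Proxy request header (case-insensitive)
    before the request reaches the CGI layer."""
    return {k: v for k, v in headers.items() if k.lower() != "proxy"}

def naive_proxy(env):
    """Vulnerable lookup: trusts HTTP_PROXY regardless of its origin."""
    return env.get("http_proxy") or env.get("HTTP_PROXY")

def cgi_safe_proxy(env):
    """Hardened lookup: under CGI (REQUEST_METHOD present) HTTP_PROXY may
    come from the request, so only lower-case http_proxy is honoured.
    Header-derived variables are always upper-case, so they cannot set it."""
    if "REQUEST_METHOD" in env:
        return env.get("http_proxy")
    return env.get("http_proxy") or env.get("HTTP_PROXY")

# Constructed sample request; both hosts are placeholders.
SAMPLE_HEADERS = {
    "Host": "app.example.test",
    "User-Agent": "demo/1.0",
    "Proxy": "http://proxy.example.invalid:8080",
}

def demo():
    """Compare the lookups on a tainted and on a cleaned environment."""
    tainted = cgi_environ("GET", SAMPLE_HEADERS)
    cleaned = cgi_environ("GET", strip_proxy_header(SAMPLE_HEADERS))
    return {
        "naive_on_tainted": naive_proxy(tainted),
        "safe_on_tainted": cgi_safe_proxy(tainted),
        "naive_on_cleaned": naive_proxy(cleaned),
    }

if __name__ == "__main__":
    for case, proxy in demo().items():
        print(f"{case}: {proxy}")
```

Only the naive lookup on the unfiltered request returns the header-supplied proxy; stripping the header at the edge or ignoring upper-case HTTP_PROXY under CGI both return no proxy.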